SSL Certificate Common Name and SAN names
I can't seem to find a straight answer to this question for the environment we are running. We have one Exchange Server 2007 with only OWA running. We are considering installing BESX for our BlackBerry users. We currently have a self-signed certificate and therefore need to purchase an SSL cert. My confusion is what name or names are required for the certificate and what will be visible if someone chooses to view the details of the certificate. I've read that NetBIOS names and internal server.domain.local names are discouraged from being used for the certificate. Here's the info from my Exchange server:

1. In Server Configuration, Hub Transport, the Default Receive Connector shows e.g. exch1.internaldomain.local as the FQDN; the Client Receive Connector is the same.
2. Organization Configuration, Hub Transport, Accepted Domains is "internaldomain.local" and "emailaddress.com".
3. Organization Configuration, Hub Transport, Send Connectors is "mail.emailaddress.com".
4. We are not using Outlook Anywhere and may use ActiveSync if non-BlackBerry users want to connect, but so far there seems to be no interest.
5. OWA in Server Configuration, Client Access, FQDN is: Internal is https://exch1.internaldomain.local/owa and External is https://mail.emailaddress.com/owa.
6. I assume that Autodiscover is working, since when creating a new user on a workstation and launching Outlook 2007, the connection to the server auto-generates all the info about the user's mailbox, etc.

Is mail.emailaddress.com and autodiscover.emailaddress.com sufficient for the SSL certificate?
December 7th, 2011 2:12pm

Yes, those 2 names are sufficient for the SSL cert. Make sure mail.emailaddress.com is your common name.

Sukh
December 7th, 2011 4:30pm

Thank you so much! Wish me luck!
December 8th, 2011 8:06am

Good luck.

Sukh
December 8th, 2011 8:12am

Well... that partially worked. OWA and Autodiscover work fine, but my Outlook 2007 clients get a Security Alert saying that "The name of the security certificate is invalid or does not match the name of the site." I know that is because I haven't entered the server.domain.local name in the certificate (the reason being that I don't want that to be visible on the certificate). So now what do I do?
December 9th, 2011 11:13am

Set the various URLs to what's on your cert: http://support.microsoft.com/kb/940726

Sukh
December 9th, 2011 11:49am

I know I don't need to do #5 but how do I know I have an OAB directory or not, and do I do both CAS and EWS or just CAS?
December 9th, 2011 1:02pm

You probably don't need #5, but I would, just to keep everything consistent. Get-OABVirtualDirectory

Sukh
December 9th, 2011 2:34pm

Thank you. I will apply all, except 5 since I don't run UM, over the weekend.
December 9th, 2011 3:17pm

I effected the changes and I still get a Security Alert, but it now shows the CN from the SSL certificate, and if I view the certificate it's not the SSL certificate but my firewall's. Any more advice you could give me would be greatly appreciated! (BTW, I still can send and receive email.)

As stated in my original post, when creating your SSL certificate they mention that it is not recommended to put your NetBIOS name or internal domain.local name in it. But if the certificate is not used for a web server and only the OWA and smartphone users can see the certificate, if they know where to look, what's the reason behind that recommendation?
December 9th, 2011 9:37pm

Run Get-ExchangeCertificate | fl and see which one is assigned to IIS.

Sukh
December 9th, 2011 10:32pm
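The two checks Sukh describes above (the KB 940726 internal URLs, and which certificate is enabled for IIS) can be done in one pass. This is an added example for the Exchange Management Shell, not something from the thread or from Microsoft; it assumes a single Client Access Server, and the example names in the comments (exch1, mail.emailaddress.com) are taken from the original question.

```powershell
# Added example: compare the hostnames in the Exchange 2007 internal URLs with the
# names on the certificate that IIS (OWA, Autodiscover, EWS, OAB) actually presents.
# Assumes a single CAS, so each Get-* cmdlet below returns exactly one object.

# 1. Which certificate is enabled for the IIS service? (Services is a flags value.)
$iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })
if ($iisCerts.Count -eq 0) { throw 'No certificate is enabled for the IIS service.' }
if ($iisCerts.Count -gt 1) { Write-Warning 'More than one certificate is enabled for IIS.' }
$iisCert   = $iisCerts[0]
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

Write-Host ("IIS certificate {0} (self-signed: {1})" -f $iisCert.Thumbprint, $iisCert.IsSelfSigned)
Write-Host ("  Subject:   {0}" -f $iisCert.Subject)
Write-Host ("  SAN names: {0}" -f ($certNames -join ', '))

# 2. Internal URLs that Outlook learns through Autodiscover (the KB 940726 set).
$urls = @{}
$urls['AutoDiscoverServiceInternalUri'] = (Get-ClientAccessServer).AutoDiscoverServiceInternalUri
$urls['EWS InternalUrl']                = (Get-WebServicesVirtualDirectory).InternalUrl
$urls['OAB InternalUrl']                = (Get-OABVirtualDirectory).InternalUrl
$urls['OWA InternalUrl']                = (Get-OwaVirtualDirectory).InternalUrl

# 3. Every URL hostname must be an exact SAN entry or covered by a one-label wildcard.
foreach ($source in $urls.Keys) {
    $uri = $urls[$source]
    if (-not $uri) { Write-Host ("{0,-32} not set" -f $source); continue }
    $uriHost = ([System.Uri]$uri.ToString()).Host.ToLower()
    $covered = $false
    foreach ($name in $certNames) {
        if ($name -eq $uriHost) { $covered = $true; break }
        # '*.emailaddress.com' matches one label only, so compare label counts too.
        if ($name.StartsWith('*.') -and ($uriHost -like $name) -and
            ($uriHost.Split('.').Count -eq $name.Split('.').Count)) { $covered = $true; break }
    }
    if ($covered) { Write-Host ("{0,-32} OK   {1}" -f $source, $uriHost) }
    else { Write-Warning ("{0} points at {1}, which is not on the IIS certificate" -f $source, $uriHost) }
}

# A mismatch is fixed with the matching Set-* cmdlet from KB 940726, for example:
#   Set-WebServicesVirtualDirectory -Identity 'exch1\EWS (Default Web Site)' `
#       -InternalUrl https://mail.emailaddress.com/EWS/Exchange.asmx
# Outlook then sees a hostname that is on the certificate and the Security Alert stops.
```

Any name reported as "not on the IIS certificate" is a hostname Outlook will be sent to and will distrust; a second certificate listed as enabled for IIS is worth checking too, since only one can be bound to the default web site.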

The third-party certificate shows IMAP, POP, IIS, SMTP. I have not removed the self-signed certificate which shows SMTP.
December 11th, 2011 7:59pm

And your URLs are set correctly?

Sukh
December 12th, 2011 2:42pm

Yes. I've been reading a lot of info on this, and the internal domain name SAN keeps being mentioned as having to be added. This is the .local name that the server has. As asked in the previous reply, it seems that it would be fine to add this to the certificate, since no one in the outside world would be able to view it, as my server is not a web server (for online shopping, etc.), just for staff to view mail in OWA and with a smartphone. Do you have any thoughts on this? Also, with the self-signed certificate still valid for SMTP, does it not conflict with the new third-party certificate?
December 12th, 2011 2:54pm

SMTP on the 3rd-party cert: if you don't use TLS for SMTP, then I wouldn't worry about this. You can add the local server's FQDN if you wish; there's no harm in doing this.

Sukh
December 12th, 2011 3:05pm

I will add the FQDN of the local server and see what happens. Thanks.
December 12th, 2011 3:09pm

Seems to have done the trick.
December 12th, 2011 3:17pm
